Offshore Outsourcing of Data Services by Insured Institutions and Associated Consumer Privacy Risks
Offshoring Business Models and Risks
Offshoring Business Models
This study reviewed the four basic forms of offshoring: captive direct, joint venture, direct third-party, and indirect third-party. Each form of conducting offshore outsourcing poses different operational risks for financial institutions and different potential privacy risks for consumers.
Captive Direct - In the captive-direct offshoring form, financial institutions use their own organizations in lower-cost, offshore locations, known as captive centers. Because captive centers require a sizeable up-front investment, only larger institutions have the necessary resources to use this form. In theory, captive-direct offshoring poses lesser risks to an organization than any of the other forms, because dedicated management from the parent company directly oversees the offshore operations. Companies such as ABN Amro, American Express, General Electric, JP Morgan Chase, Mellon Financial, Standard Chartered, and Citibank have wholly-owned captive centers in India and other countries.
Joint Venture - This form of offshoring occurs when domestic institutions partner with a foreign entity for shared control of foreign operations. In general, because control is shared with the foreign enterprise, this method of offshoring has higher risk potential than the wholly-owned, foreign, captive-direct form. Still, because of the ability to exercise control through majority ownership of the venture (or partial control with a 50 percent or less share of ownership), this form, in general, has less risk associated with it than the direct and indirect third-party contracting forms described below.
Direct Third Party - In the direct third-party form, institutions outsource operations to a third-party vendor located offshore. Institutions such as Bank of America, Deutsche Bank, and Merrill Lynch have established direct third-party arrangements with vendors in India. Because financial institutions have no ownership authority in this form, their controls over this working arrangement are limited to the contract terms agreed to with the third-party vendor, thereby making this form potentially more risky than either the captive or joint venture forms.
Indirect Third Party - The indirect third-party form of offshoring typically occurs when a domestic financial institution enters into a contract with a domestic data vendor, who then subcontracts out all or a part of the work to an offshore company. (Typical data vendor contracts often contain provisions that allow for subsequent subcontracting of work. See Appendix B.) As a result, data can be sent overseas at the discretion of the domestic third-party vendor without further notification to the domestic financial institution. This offshoring form has the highest associated risk and potential for breaches of privacy rules, because controls may not exist to preserve the integrity of customer and bank data.
Some of the risks that may emerge when financial institutions use a third-party data or other service provider are presented in this section. Appendix C contains a more detailed listing of risks from outsourcing and offshoring. It is important to recognize that among the different risks posed by outsourcing, only country risk is unique to offshoring; however, offshoring can introduce additional complications to standard outsourcing risks.
Country Risk - Includes the political infrastructure, socio-economic conditions, and related issues pertaining to a particular country and how a change in any of these might affect the ability of an offshore third party to fulfill its contract obligations. This type of risk could also be influenced by the relationship between the U.S. and the host-country bank supervisor, and by the possibility that the current relationship may change in the future.
Some specific areas with potential for offshore fraud were identified in the course of this study. It is worth noting that these examples of potential fraud could occur domestically as well as offshore. Still, institutions need to be aware of the heightened exposures that exist for these riskier activities. Beyond the risk of loss of data privacy, the risk of funds diversion exists because of the nature of the information being handled by subcontractors. Some examples, identified by data service providers we spoke with, include:
Letters of Credit exception handling. In this scenario, workers are provided full access to bank account numbers of the parties involved and all other documentation associated with the Letter of Credit.
Back office processing of foreign exchange. In this subcontracted activity, offshore workers have processing responsibilities along with full access to all relevant information needed to transact non-automated currency settlements and clearings.
Administration of commercial lending. Offshore workers have processing responsibilities along with full access to loan data throughout the life of the loan.
Staff compiling this study were also informed by one data vendor that a specific form of country risk exists in the case of foreign organized crime activities. These criminal elements reportedly have targeted foreign offshore enterprises in attempts to gain access to the data they process. Reportedly, one foreign organized crime group has attempted to buy existing call centers, set up its own call centers, and bribe workers to gain access to data and information.
Reputation Risk - Is the risk to earnings or capital arising from negative public opinion. This affects an institution's ability to establish new relationships or services or to continue servicing existing relationships. This risk is present in activities such as outsourcing and particularly in the offshore outsourcing of work.
Operations/Transactional Risk - Includes the risk to earnings or capital that arises from problems with service or product delivery. The lack of an effective business resumption plan and appropriate contingency plans increases transaction risk.
Compliance Risk - Is the risk to earnings or capital that arises from violations of laws or regulations or nonconformance with internal policies or ethical standards. This risk exists when the activities of a third party are not consistent with the law, policies, or ethical standards of the financial institution. Also, the risk is exacerbated by an inadequate oversight and audit function.
Strategic Risk - Is the risk to earnings or capital that may arise from adverse business decisions or improper implementation. The use of a third party to perform banking functions or to offer products or services that do not help the financial institution achieve corporate strategic goals and provide an adequate return on investment exposes the financial institution to strategic risk.
Credit Risk - Is the risk to earnings or capital that arises from the obligor's failure to meet the terms of any contract with the financial institution or to otherwise perform as agreed. The basic form of credit risk involves the financial condition of the third party itself. Appropriate monitoring by the financial institution of the third party's activity is necessary to ensure that credit risk is understood and remains within board-approved limits.
Consumer Privacy and Other Operational Risks Will Vary By Institution, Business Model, and Type of Function That Is Offshored
There is a heightened exposure to reputation risk for financial institutions that jeopardize the security and integrity of private consumer data at any point in the chain of the work being offshored. Such risks cannot be fully assessed without a complete understanding of the resulting arrangement, which may itself be a function of factors intrinsic to the individual financial institution, contractual arrangement, or business situation. Insufficient management and control of these risks may have significant financial ramifications, including high legal costs, credit losses, increased operating costs, loss of business, and other direct and indirect costs. It is important that management understand and evaluate these potential risks so that a thorough assessment can be made before deciding to enter into a third-party agreement.
Specific risk exposures may include problems related to inadequate contractual provisions governing control, security, and audit responsibilities. Various employee-risk issues differ significantly in different offshore arrangements. For instance, background checks of employees involving credit-bureau information, criminal records, or even drug testing results are standard requirements in the United States. The ability to obtain the same types of reviews in many other countries is questionable.
Financial institutions may also have intrinsic characteristics that mitigate risk. Some institutions may have previous experience working in a particular country. Multinational financial institutions may already have offices in the country where offshoring takes place, providing better access to legal, operational, and managerial expertise. Also, the location of sensitive data affects an institution's risk exposure. Data that is physically located at a U.S. facility, even if it is accessed by overseas vendors, may provide greater control over security.
As illustrated in Chart 3, the principal offshoring business models carry varying amounts of risk.
Chart 3: Forms of Offshoring and Their Associated Risks
Also, privacy risks vary by job type. For instance, relatively lower-risk activities include computer source-coding or application development and maintenance, whereas higher-risk activities include any function using personal data, such as call centers or transaction processing.7 At present, financial institutions offshore IT work in addition to higher-risk work based on customer data, including mortgage servicing and customer-assistance/help-desk services.
Protections for Customer Information Sent Offshore
For each form of offshoring (captive, joint venture, direct third party, and indirect third party), nothing precludes the offshore transfer of customer data by a financial institution or one of its service providers. Financial institution customers may not opt out of these information transfers to nonaffiliated service providers if the transfer is for a purpose described in section 502(e) of the Gramm-Leach-Bliley Act (GLBA). For example, the opportunity to opt out does not apply where the information transfer is to:
service or process a financial product or service that the customer requested or authorized; or
maintain or service the customer's account.
However, GLBA does provide important protections that cover both domestic and offshore outsourcing. GLBA establishes affirmative and continuing obligations for financial institutions to respect customer privacy and protect customer personal information against reasonably foreseeable internal or external threats to its security, confidentiality, and integrity. The Federal Banking Agencies (FBAs) have extended these obligations to include the monitoring of the activities of those service providers to which financial institutions transfer customer information.
§ 501(a): It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
§ 501(b): In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards.
The FBAs issued identical Guidelines pursuant to § 501(b). Those Guidelines provide that each financial institution shall: (1) exercise appropriate due diligence in selecting service providers; (2) require them by contract to implement appropriate measures designed to meet the objectives of the Guidelines; and (3) where indicated based upon the institution's risk assessment, monitor the service providers to confirm that they implement the procedures required by the Guidelines. 12 CFR 364.101, App. B ¶ III.D.
Responsibilities of Directors and Officers
Financial institution directors and management remain liable for their responsibilities to the institution and the consequences of all outsourcing decisions. The board of directors and management have the responsibility to make sure systems and controls are established and maintained for the security and integrity of outsourced data, whether the service provider is domestic or foreign. Institutions that transfer internal services to third parties have the same risk management, security, privacy, and other consumer protection responsibilities as if the institution conducted the activities itself. The board of directors and management have the responsibility to ensure that the third-party activity is conducted in a safe and sound manner and is in compliance with policies and applicable laws.
7 Even relatively lower-risk activities such as source-coding or software development may pose operations risks and threats to the privacy of data should offshore contract programmers operate with malicious intent.